Remove API key requirement and add public HTML pages

Author: lunaticsm

README.md

@@ -3,7 +3,7 @@
 FastAPI application that stores uploaded files to disk, tracks them with SQLModel, and serves them back through a lightweight CDN-like interface.
 
 ## Features
-- Protected upload and listing endpoints secured with an API key header.
+- Public upload and listing endpoints with UUID-based storage.
 - Files stored with generated UUID names while preserving the original name for metadata.
 - Optional background cleaner that prunes files older than a configured retention window.
 - SQLite by default, with configurable database URL via environment variables.
@@ -17,12 +17,6 @@ pip install --upgrade pip
 pip install -r requirements.txt
 ```
 
-Create a `.env` (or export environment variables) with at least:
-
-```
-API_KEY=choose-a-strong-secret
-```
-
 Optional settings:
 
 | Variable | Default | Description |
@@ -43,8 +37,6 @@ uvicorn app.main:app --host 0.0.0.0 --port 8000 --workers 2 --proxy-headers
 
 ## API Overview
 
-All protected endpoints require the header `x-api-key: <API_KEY>`.
-
 | Method | Path | Description |
 |--------|------|-------------|
 | `POST` | `/upload` | Accepts multipart file upload, stores file, returns metadata (`id`, `url`, `size`, `type`). |
@@ -66,12 +58,9 @@ pytest
 ```
 
 The test suite spins up the FastAPI app against a temporary SQLite database to cover:
-- API key enforcement on uploads.
 - Upload/list/serve happy path.
 - Directory traversal hardening for file serving.
 
 ## Deployment Notes
-
-- Ensure `API_KEY` is always set in your deployment environment—startup fails otherwise.
 - When using SQLite, the app configures thread-safe connection settings. For higher concurrency, consider a PostgreSQL or MySQL instance and update `DB_URL`.
 - Mount or back up `UPLOAD_DIR` storage if files need to persist beyond the cleaner retention window.

app/config.py

@@ -3,11 +3,9 @@
 
 load_dotenv()
 
-API_KEY = os.getenv("API_KEY")
-if not API_KEY:
-    raise RuntimeError("API_KEY environment variable must be set")
-
-UPLOAD_DIR = os.getenv("UPLOAD_DIR", os.path.abspath(os.path.join(os.path.dirname(__file__), "..", "uploads")))
+UPLOAD_DIR = os.getenv(
+    "UPLOAD_DIR", os.path.abspath(os.path.join(os.path.dirname(__file__), "..", "uploads"))
+)
 DB_URL = os.getenv("DB_URL", "sqlite:///./cdn.db")
 DELETE_AFTER_HOURS = int(os.getenv("DELETE_AFTER_HOURS", "72"))
 CORS_ORIGINS = os.getenv("CORS_ORIGINS", "*")

app/main.py

@@ -1,13 +1,14 @@
-from fastapi import FastAPI, UploadFile, File, HTTPException, Header, Depends
-from fastapi.responses import FileResponse
+from fastapi import FastAPI, UploadFile, File, HTTPException, Request
+from fastapi.responses import FileResponse, HTMLResponse, JSONResponse
 from fastapi.middleware.cors import CORSMiddleware
 from sqlmodel import SQLModel, create_engine, Session, select
 from urllib.parse import quote
 from pathlib import Path
-from app.config import API_KEY, DB_URL, UPLOAD_DIR, CORS_ORIGINS, DB_CONNECT_ARGS, ENABLE_CLEANER
+from app.config import DB_URL, UPLOAD_DIR, CORS_ORIGINS, DB_CONNECT_ARGS, ENABLE_CLEANER
 from app.models import File as FileModel
 from app.storage import save_file
 from app.cleaner import start_cleaner
+from starlette.exceptions import HTTPException as StarletteHTTPException
 
 app = FastAPI(title="AlterBase CDN API", version="1.0")
 
@@ -25,14 +26,38 @@
 if ENABLE_CLEANER:
     start_cleaner(engine)  # background scheduler
 
-# --- API Key guard ---
-async def require_api_key(x_api_key: str | None = Header(default=None)):
-    if API_KEY and x_api_key != API_KEY:
-        raise HTTPException(status_code=401, detail="Invalid or missing API Key")
+_ERROR_PAGE_PATH = Path(__file__).resolve().parent / "templates" / "404.html"
+_NOT_FOUND_HTML = _ERROR_PAGE_PATH.read_text(encoding="utf-8") if _ERROR_PAGE_PATH.is_file() else "<h1>404 - Not Found</h1>"
+
+_HOME_PAGE_PATH = Path(__file__).resolve().parent / "templates" / "index.html"
+_HOME_HTML = _HOME_PAGE_PATH.read_text(encoding="utf-8") if _HOME_PAGE_PATH.is_file() else "<h1>Welcome</h1>"
+
+_API_PAGE_PATH = Path(__file__).resolve().parent / "templates" / "api.html"
+_API_HTML = _API_PAGE_PATH.read_text(encoding="utf-8") if _API_PAGE_PATH.is_file() else "<h1>API</h1>"
+
+
+@app.exception_handler(404)
+async def not_found_handler(request: Request, exc: StarletteHTTPException):
+    accept = request.headers.get("accept", "")
+    if "text/html" in accept or "*/*" in accept or not accept:
+        return HTMLResponse(content=_NOT_FOUND_HTML, status_code=404)
+    detail = exc.detail if hasattr(exc, "detail") else "Not Found"
+    return JSONResponse({"detail": detail}, status_code=404)
+
+# --- Pages ---
+
+@app.get("/", response_class=HTMLResponse)
+async def home():
+    return HTMLResponse(content=_HOME_HTML)
+
+
+@app.get("/api-info", response_class=HTMLResponse)
+async def api_info():
+    return HTMLResponse(content=_API_HTML)
 
 # --- Routes ---
 
-@app.post("/upload", dependencies=[Depends(require_api_key)])
+@app.post("/upload")
 async def upload(file: UploadFile = File(...)):
     if not file.filename:
         raise HTTPException(status_code=400, detail="Missing filename")
@@ -55,10 +80,10 @@ async def upload(file: UploadFile = File(...)):
         "id": file_id,
         "url": f"/{quote(stored_name)}",
         "size": size_bytes,
-        "type": file.content_type,
-    }
+            "type": file.content_type,
+        }
 
-@app.get("/list", dependencies=[Depends(require_api_key)])
+@app.get("/list")
 def list_files():
     with Session(engine) as session:
         files = session.exec(select(FileModel).order_by(FileModel.created_at.desc())).all()

app/templates/404.html

@@ -0,0 +1,71 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <title>Not Found</title>
+    <style>
+      :root {
+        color-scheme: light dark;
+      }
+      * {
+        box-sizing: border-box;
+        margin: 0;
+        padding: 0;
+      }
+      body {
+        font-family: system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+        min-height: 100vh;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        background: #0f172a;
+        color: #f8fafc;
+        padding: 2rem;
+      }
+      .card {
+        max-width: 420px;
+        width: 100%;
+        background: rgba(15, 23, 42, 0.8);
+        border: 1px solid rgba(148, 163, 184, 0.3);
+        border-radius: 16px;
+        padding: 2.5rem;
+        text-align: center;
+        box-shadow: 0 24px 60px rgba(15, 23, 42, 0.4);
+      }
+      h1 {
+        font-size: clamp(3rem, 5vw, 4rem);
+        letter-spacing: 0.2em;
+        margin-bottom: 1rem;
+        opacity: 0.9;
+      }
+      p {
+        font-size: 1rem;
+        line-height: 1.6;
+        opacity: 0.8;
+        margin-bottom: 1.5rem;
+      }
+      a {
+        display: inline-block;
+        font-weight: 600;
+        text-decoration: none;
+        padding: 0.75rem 1.5rem;
+        border-radius: 9999px;
+        background: linear-gradient(135deg, #38bdf8, #818cf8);
+        color: #0f172a;
+        transition: transform 0.2s ease, box-shadow 0.2s ease;
+        box-shadow: 0 16px 30px rgba(129, 140, 248, 0.35);
+      }
+      a:hover {
+        transform: translateY(-2px);
+        box-shadow: 0 20px 40px rgba(129, 140, 248, 0.45);
+      }
+    </style>
+  </head>
+  <body>
+    <main class="card">
+      <h1>404</h1>
+      <p>The resource you were looking for isn&apos;t here. It may have been removed or its link is outdated.</p>
+      <a href="/">Back to Home</a>
+    </main>
+  </body>
+</html>

app/templates/api.html

@@ -0,0 +1,128 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <title>AlterBase CDN API</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <style>
+      :root {
+        color-scheme: light dark;
+      }
+      * {
+        box-sizing: border-box;
+        margin: 0;
+        padding: 0;
+      }
+      body {
+        font-family: "Inter", system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+        min-height: 100vh;
+        background: #0f172a;
+        color: #e2e8f0;
+        padding: 3rem 1.5rem;
+      }
+      .container {
+        max-width: 800px;
+        margin: 0 auto;
+        background: rgba(15, 23, 42, 0.75);
+        border: 1px solid rgba(148, 163, 184, 0.25);
+        border-radius: 18px;
+        padding: 3rem;
+        box-shadow: 0 30px 60px rgba(15, 23, 42, 0.4);
+      }
+      h1 {
+        font-size: clamp(2.25rem, 5vw, 3rem);
+        margin-bottom: 0.75rem;
+      }
+      p.lead {
+        font-size: 1.1rem;
+        opacity: 0.85;
+        margin-bottom: 2rem;
+      }
+      section + section {
+        margin-top: 2.5rem;
+      }
+      h2 {
+        font-size: 1.35rem;
+        margin-bottom: 1rem;
+        color: #93c5fd;
+      }
+      pre {
+        background: rgba(15, 23, 42, 0.95);
+        border-radius: 12px;
+        padding: 1rem 1.25rem;
+        overflow-x: auto;
+        font-size: 0.95rem;
+        line-height: 1.6;
+        border: 1px solid rgba(148, 163, 184, 0.2);
+      }
+      code {
+        font-family: "JetBrains Mono", "Fira Code", ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono",
+          "Courier New", monospace;
+      }
+      ul {
+        list-style: none;
+        margin-left: 0;
+      }
+      li {
+        margin-bottom: 0.75rem;
+      }
+      a {
+        color: #38bdf8;
+        text-decoration: none;
+      }
+      a:hover {
+        text-decoration: underline;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="container">
+      <h1>AlterBase CDN API</h1>
+      <p class="lead">Upload files and retrieve shareable URLs with a minimal HTTP API.</p>
+
+      <section>
+        <h2>Base URL</h2>
+        <pre><code>https://cdn.lunaticsm.web.id</code></pre>
+      </section>
+
+      <section>
+        <h2>Endpoints</h2>
+        <ul>
+          <li>
+            <strong>POST /upload</strong><br />
+            Multipart form request with <code>file</code> field. Returns JSON metadata with <code>id</code>,
+            <code>url</code>, <code>size</code>, <code>type</code>.
+          </li>
+          <li>
+            <strong>GET /list</strong><br />
+            Lists stored files ordered by newest first, including original names and timestamps.
+          </li>
+          <li>
+            <strong>GET /{filename}</strong><br />
+            Serves the stored file given the UUID filename returned from <code>/upload</code>.
+          </li>
+        </ul>
+      </section>
+
+      <section>
+        <h2>CURL Example</h2>
+        <pre><code>curl -X POST https://cdn.lunaticsm.web.id/upload \
+  -F "file=@/path/to/photo.jpg" \
+  -H "Accept: application/json"</code></pre>
+      </section>
+
+      <section>
+        <h2>Notes</h2>
+        <ul>
+          <li>Files are stored on disk under the configured uploads directory.</li>
+          <li>The optional cleaner job removes files older than the configured retention window.</li>
+          <li>Use the relative URL from <code>/upload</code> responses to build your CDN links.</li>
+        </ul>
+      </section>
+
+      <section>
+        <a href="/">← Back to home</a>
+      </section>
+    </div>
+  </body>
+</html>